CVE-2018-10847

low-risk
Published 2018-07-30

Prosody before versions 0.10.2 and 0.9.14 is vulnerable to an authentication bypass. Prosody did not verify that the virtual host associated with a user session remained the same across stream restarts. A user may authenticate to XMPP host A and then migrate that authenticated session to XMPP host B on the same Prosody instance; in effect, valid credentials on one virtual host yield a session on any other virtual host the instance serves, without authenticating to it.
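The check the description refers to, as an added example that is not Prosody's own code: a toy XMPP stream-restart handler in Python. An XMPP client opens a stream to one host, authenticates with SASL, and then restarts the stream; the server must confirm that the `to` host on the restarted stream is the host the credentials were checked against. `pin_host=False` mimics the pre-fix behaviour the advisory describes (the session silently adopts the new host), `pin_host=True` the hardened behaviour. The virtual host names, the user, the function names and the exact stream-error condition are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed virtual hosts served by one hypothetical server instance.
KNOWN_HOSTS = {"a.example", "b.example"}

# Minimal matcher for the 'to' attribute of an XMPP stream header.
STREAM_TO = re.compile(r"<stream:stream\b[^>]*?\bto=['\"]([^'\"]+)['\"]")


class StreamError(Exception):
    """Stream-level error; the condition text is an assumed approximation."""


@dataclass
class Session:
    host: Optional[str] = None        # virtual host this stream is bound to
    username: Optional[str] = None    # set once SASL succeeds
    authenticated: bool = False


def parse_stream_to(header: str) -> str:
    """Extract and normalise the 'to' host of a <stream:stream> header."""
    m = STREAM_TO.search(header)
    if not m:
        raise StreamError("invalid-xml: stream header has no 'to' attribute")
    return m.group(1).lower()


def stream_opened(sess: Session, header: str, pin_host: bool) -> str:
    """Handle an initial or restarted <stream:stream> header.

    pin_host=False: the session adopts whatever host the header names,
    even after authentication (the behaviour the CVE describes).
    pin_host=True: after authentication a restart naming a different
    host is rejected, so the session stays bound to the host whose
    credentials were actually verified.
    """
    to = parse_stream_to(header)
    if to not in KNOWN_HOSTS:
        raise StreamError("host-unknown")
    if pin_host and sess.authenticated and sess.host != to:
        raise StreamError("not-authorized: session host cannot change after authentication")
    sess.host = to
    return to


def sasl_success(sess: Session, username: str) -> None:
    """Record that credentials presented for sess.host were accepted."""
    sess.authenticated = True
    sess.username = username


def bound_jid(sess: Session) -> str:
    return f"{sess.username}@{sess.host}"


def run_exchange(pin_host: bool) -> str:
    """Replay a constructed client exchange: open to a.example, authenticate,
    then restart the stream to b.example. Returns the JID the server would
    bind, or the stream error it raised."""
    sess = Session()
    stream_opened(sess, "<stream:stream xmlns='jabber:client' to='a.example' version='1.0'>", pin_host)
    sasl_success(sess, "alice")  # password was checked against a.example's user store only
    try:
        stream_opened(sess, "<stream:stream xmlns='jabber:client' to='b.example' version='1.0'>", pin_host)
    except StreamError as e:
        return f"stream-error: {e}"
    return bound_jid(sess)


if __name__ == "__main__":
    print("vulnerable:", run_exchange(pin_host=False))  # alice@b.example
    print("hardened:  ", run_exchange(pin_host=True))
```

The point of the hardened branch is that the host is pinned at the moment authentication succeeds, not re-derived from each stream header: any later header is validated against the pinned value rather than trusted on its own.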

Do I need to act?

EPSS: ~1.2% chance of exploitation in the next 30 days (moderate exploit probability)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Patch status: unknown on this page; check vendor advisories for fix availability and mitigation guidance (the description above names 0.9.14 and 0.10.2 as the fixed versions)
CVSS: 4.2/10 Medium (attack vector NETWORK, attack complexity HIGH)

Affected Products (3)

Prosody

Affected Vendors

Risk score: 27/100 (low-risk)
Severity 14/34 · Moderate
Exploitability 4/34 · Minimal
Exposure 9/34 · Low